Credit Unions and the Data Security Act of 2015

Credit Unions lost a lot of money due to recent breaches, so financial institutions are eager to see merchants held to higher standards for data security.

Receiving an email from my friendly local credit union is seldom something that piques my interest. And unless it’s a breach notification (such as after the Target breach), it’s even more rare for such missives to have anything that’s relevant to my interests in security or privacy. The other day, though, I received an email that was genuinely exciting and informative.

The content of this particular email began with an explanation of the costs to consumers and credit unions alike when retail merchants are breached. This struck me as strange; what did they want me to do about that? (Aside from what I’m already doing by speaking to the press and writing a bunch of How-To articles on computer security, that is.) But in the last few sentences, they included a plea for us to contact our local U.S. Representative and Senators to support a new data security bill.

Data Security Act of 2015

Several weeks ago, Representatives Randy Neugebauer (a Republican from Texas) and John Carney (a Democrat from Delaware) and Senators Tom Carper (a Democrat from Delaware) and Roy Blunt (a Republican from Missouri) introduced the Data Security Act of 2015 in the House and Senate as H.R. 2205 and S. 961. This bill is meant to better protect consumers from identity theft and account fraud by establishing a clear set of national standards that would help prevent and respond to data breaches.

You may wonder, as I did, why this legislation is of particular interest to credit unions. From a practical perspective, Credit Unions lost quite a lot of money due to recent breaches: a February 2015 National Association of Federal Credit Unions (NAFCU) survey reports that credit unions spent an average of $136,000 on data security measures in 2014 and had $226,000 in costs associated with merchant data breaches. According to a Credit Union National Association (CUNA) survey, the Target and Home Depot breaches cost Credit Unions in the US $30.6 million and $57.4 million respectively. This cost included replacing 4.6 million payment cards in the aftermath of the Target breach and 7.2 million after the Home Depot breach.

As these costs are often not reimbursed, you can imagine that financial institutions might be eager to see merchants held to higher standards for data security, much as financial institutions already are. Indeed, NAFCU has backed the Data Security Act and has participated in extensive media coverage in support of this legislation.

Now you know

As someone steeped in security news all day, I was impressed that the email about this new legislation was so prompt that this was the first I’d heard of it. And as I poked around to learn about the subject of the email for this article, I was surprised to learn how much Credit Unions in the US are involved with political activism around data security. Whether or not you think the proposed legislation is the right way forward (and I’m still reading it), there’s no faulting the effort CUs are making to improve security.

Their StopTheDataBreaches website even has a short list of risk management practices for members and credit unions that included a couple items I’d not been aware of myself. As they are not-for-profit organizations, it probably should not have surprised me that they’re trying hard to decrease what has been a major drain for all financial institutions. It’s good to know that even after close to two decades in the information security industry, there’s still a lot for me to learn about data security activism and education efforts!